We already know that most users' clever passwords aren't protecting them from hackers.
Must use a capital letter, lower case letter, and a number.
Must use a special character like %, &, *, or !.
If a password cracker had access to better machinery, that time could be dramatically reduced.
And that's if you're cracking a password the hard way.
In reality, most people either consciously or subconsciously adhere to certain patterns when creating their passwords.
Crackers can use patterns like these to drastically reduce how much time it takes to guess an encrypted password.
This is also why longer password requirements don't necessarily make things better.
None of this is to say that complex passwords are inherently bad, or that it's your fault.
Most websites you use simply don't adequately explain how complex your password needs to be.
If it's something we can reliably remember, it's probably something that a professional password cracker can figure out.
The only secure password is the one you can't remember.
What You Might Do to Defend Yourself
Redman's talk is aimed at security professionals and web admins.
It doesn't matter if you have a completely random 100-character password if you used it on multiple sites.
Whatever your password was on LinkedIn, it's out there now.
If a professional hacker cracks your password on one site, they have it on all of them.
Always, always, always use unique passwords for every site.
Password managers are perfect for this.
Check out our password manager comparison to find one that works for you.
At the very least, use Chrome's Smart Lock.
In that case, if possible, use a passphrase instead.
Rather than making a short password with weird rules, passphrases are long phrases or even sentences.
These can be easier to remember while also being long enough to trip up most password crackers.
Or at least trip them up enough to give up on you and move on to someone else.
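To illustrate the two points above (common patterns shrink a cracker's search, passphrases enlarge it), here is an added Python example that is not part of the article or of Redman's talk: it estimates the guesses needed under a naive character-class assumption versus the "capitalized word, digits, symbol" habit, and compares that with a Diceware passphrase. The hash rate, the word-list sizes and the sample password Summer2016! are constructed assumptions.

```python
import re

# Constructed assumptions for illustration, not figures from the article:
GUESSES_PER_SECOND = 10_000_000_000  # a fast multi-GPU rig against a fast, unsalted hash
WORDLIST_SIZE = 10_000               # words a cracker tries in the "capitalized word" slot
DICEWARE_WORDS = 7_776               # size of a standard Diceware passphrase list

# Printable ASCII character classes (94 symbols, excluding space).
CLASSES = {"upper": (r"[A-Z]", 26), "lower": (r"[a-z]", 26),
           "digit": (r"\d", 10), "special": (r"[^\w\s]", 32)}
SPECIAL, DIGIT, LOWER = 32, 10, 26

# The habit the article describes: capitalized dictionary word + digits + one symbol, e.g. Summer2016!
COMMON_PATTERN = re.compile(r"^([A-Z][a-z]+)(\d+)([^\w\s])$")


def naive_guesses(pw: str) -> int:
    """Guesses to exhaust the space if the cracker only knows which character classes appear."""
    alphabet = sum(size for regex, size in CLASSES.values() if re.search(regex, pw))
    return alphabet ** len(pw)


def pattern_guesses(pw: str):
    """Guesses once the cracker assumes the word+digits+symbol habit; None if the password avoids it."""
    m = COMMON_PATTERN.match(pw)
    if m is None:
        return None
    word, digits, _symbol = m.groups()
    # The word slot comes from a word list, far smaller than every lowercase string of that length.
    word_slot = min(WORDLIST_SIZE, LOWER ** len(word))
    return word_slot * DIGIT ** len(digits) * SPECIAL


def passphrase_guesses(n_words: int, list_size: int = DICEWARE_WORDS) -> int:
    """Guesses to exhaust an n-word passphrase even when the cracker knows the exact word list."""
    return list_size ** n_words


def seconds_to_exhaust(guesses: int, rate: int = GUESSES_PER_SECOND) -> float:
    return guesses / rate


def assess(pw: str) -> dict:
    """Effective guess count is the smaller of the naive and pattern-aware estimates."""
    naive, patterned = naive_guesses(pw), pattern_guesses(pw)
    effective = naive if patterned is None else min(naive, patterned)
    return {"naive": naive, "pattern": patterned, "effective": effective,
            "seconds": seconds_to_exhaust(effective)}


if __name__ == "__main__":
    print("Summer2016!", assess("Summer2016!"))
    print("5 Diceware words:", seconds_to_exhaust(passphrase_guesses(5)) / 86400, "days")
```

Under these assumptions the pattern-following password falls in well under a second, while the five-word passphrase takes tens of thousands of days even when the cracker knows the exact word list.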
Ideally, most sites would require this, but for right now it's optional.
It's a minor inconvenience, but it can save your account if your password is ever cracked.
You could also let sites know that you're not happy when their security standards are lacking.
Companies don't always do what's best for their users' security unless they're prompted by user demand or cost.
If you're using a site with poor security, let them know.
Hopefully they'll get their act together.